On 9/15/2014 4:16 PM, Mike Perry wrote:
So far, other than more & more sites are in the "information gathering business," I can't imagine that most sites where I've seen Cloudfare captchas would be anti-Tor. Unless, information gathering has now become too profitable to let it slide by. Since they don't get much info from Tor users, perhaps they just make the process irritatingly difficult. Perhaps outside forces (read: 3 letter agencies) are putting pressure on some sites to discourage TBB use.Öyvind Saether:These captchas recently started appearing (more often) on all kinds of sites. By far the most common name that pops up associated with this security is "Cloudfare," but also some others. Aside from being forced to allow scripts in NoScript from Cloudfare for the captcha to work (or which ever one it is), it also seems to require allowing scripts from... Google.com.I too have noticed the Cloudflare annoyance on a wide variety of sites lately (not sure if more sites use Cloudflare or if Cloudfare has begun asking for a captcha in more cases).It has also proven to be buggy: I've gotten infinite captcha loops, no captchas, and broken no-JS support (even though ReCaptcha does support no-JS operation). I've also experienced repeated captchas even if I'm logged into a given site, and the captcha prompting has also caused me to lose web application state, form submissions, and authentication status on more than one occasion.
Yes, I've experienced most of the problems you mention. Like (but not limited to), after I've done the captcha & successfully gained site access, sometimes (not always?) it'll ask me to repeat the captcha process. That seems to often happen when changing pages (on the same base domain of the site). Even with 1st party cookies enabled. But it asking to repeat the captcha could also be from TBB's IP address changing?? Not sure.
Like oyvinds, usually as soon as I see the Cloudfare captcha page, I just close the tab & move on. And that's what I'll continue to do. If the sites using this have that much problem w/ spam, I do feel for them, but I also wish them luck in not driving most users away. I suspect they (or 3rd parties) are getting more out of it than just preventing spam / bots.
I don't care if the site or captcha process is broken or not. Aside from seeming to also require GOOGLE (which is enough to make me leave immediately), the process is too time consuming & doesn't work consistently - even when 1st arriving at the site & necessary js is enabled for required parties. Sometime the captcha image is truly unreadable. Sometimes refreshing the image results in equally unreadable ones. Sum total: Far too much hassle, even if it worked.
I think the next step here is to try to gather a list of cloudflare customers we suspect to be Tor friendly, and have them politely request that their Tor users not be discriminated in this way, and failing that, publicly leave Cloudflare for a competing ISP. I think pushback from actual CloudFlare customers will carry far more weight here than pushback from the Tor Project or the EFF. It also makes zero sense for CloudFlare to serve Tor users captchas at all if their customers are the ones paying the hosting bills and are happy to serve Tor users. For my part, I've noticed that nearly all of the Bitcoin web infrastructure is hosted on Cloudflare. Surely some of those people might be willing to speak up for us. Has anyone else noticed Cloudflare captchas on sites that they would otherwise expect to be run by Tor-friendly entities?
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk